Changes published in 2021 went into final effect in June 2023. Now, regulators are stepping up their review.

We've been seeing the impact of the updated CyberSecurity examinations prompted by the December 2021 FTC rule revisions. Regulators are dumping massive checklists into the exam load, and most companies don't have the bandwidth to address it. It's a hefty load, but it's worth going through to establish a baseline.

Click here for the updated rule

Click here for the CSBS Model Examination Form for non-banks

The word you will see the most in an examination citation is "implementation." This means that, no matter how good your model policy is, if you're not doing - or have evidence that you can do - the things the rule requires, you'll likely be cited.

Like every good compliance program, policies and procedures are simply part of a complete IT Security Plan. There are 4 pillars of every compliance program:

a compliance officer,
policies and procedures
training, and
testing/auditing.

Most of the policies we've seen are precisely that - policies. There is very little procedure. In other words, the model form says, "We will comply," but doesn't say, "This is how we comply." This is the most significant difference between our products and those written by lawyers or compliance experts.

Location of IT Security Questionnaire Items in 2-9 IT/CyberSecurity Plan

States Strictly Enforcing GLB Compliance

DC
Maryland
Massachusetts
Virginia
Texas
New York

Remember to add those non-policy items

List of hardware (investor)
List of software and cloud services
List of vendors (investors, office tech, processors, etc. )
Cyber Insurance Policy

Tools for Self-Training

MortgageManuals.com provides training for our customers' Non-NMLS employees.

Tools for Self-Audit

We provide the tools for a self-assessment, but if you want a third party risk assessment we do that here.